[Unbound-users] Unbound 1.4.7 release

W.C.A. Wijngaards wouter at NLnetLabs.nl
Mon Nov 8 12:01:49 UTC 2010

Hash: SHA1


Unbound 1.4.7 is available.

You can find it here:
sha1  eb062726e074ebb0e7d64e31495db693defc6a9f
sha256  f04944d10c65a548eb6a5ff17715283d9315d9a6c5585248e90384f10aee5748

There are some bugfixes since 1.4.7rc1, which do not affect the build
process, that are in release 1.4.7

New dependency on libexpat (for parsing xml in unbound-anchor: tool to
get the DNSSEC root key).

Also, GOST is enabled by default, and errors if not supported.  And ldns
if not recent enough there is a configure error (you can use the builtin
or 1.6.7).

If you want to create a package with DNSSEC support then unbound-anchor
is a tool that you can use.  It contains a copy of the root key DS, and
a certificate to update it, it does RFC5011 tracking and https fetches
to keep the DNSSEC root anchor updated.  Just put a line in unbound.conf
and run it before you start unbound, thus, you may want to review your
rc.init scripts.

You can audit the included keys with unbound-anchor -l (or override with
commandline options and it is open source).

There are also some nice bugfixes in 1.4.7 :-)  Here is a long,
detailed, list:

    * unbound-anchor app, unbound requires libexpat (xml parser
library). It creates or updates a root.key file. Use it before you start
the validator (e.g. at system boot time).
    * dump_infra and flush_infra commands for unbound-control.

Bug Fixes
    * GOST code enabled by default (RFC 5933).
    * Configure detects libev-4.00.
    * do not synthesize a CNAME message from cache for qtype DS.
    * Use central entropy to seed threads.
    * Change the rtt used to probe EDNS-timeout hosts to 1000 msec.
    * Fix validation failure for parent and child on same server with an
insecure childzone and a CNAME from parent to child.
    * Change of timeout code. No more lost and backoff in blockage. At
12sec timeout (and at least 2x lost before) one probe per IP is allowed
only. At 120sec, the IP is blocked. After 15min, a 120sec entry has a
single retry packet.
    * no timeout backoff if meanwhile a query succeeded.
    * Configure errors if ldns is not found.
    * Windows 7 fix for the installer.
    * Fix bug where fallback_tcp causes wrong roundtrip and edns
observation to be noted in cache. Fix bug where EDNSprobe halted
exponential backoff if EDNS status unknown.
    * interface automatic works for some people with ip6 disabled.
Therefore the error check is removed, so they can use the option.
    * Fix TCP so it uses a random outgoing-interface.
    * Fix bug when DLV below a trust-anchor that uses NSEC3 optout where
the zone has a secure delegation hosted on the same server did not
verify as secure (it was insecure by mistake).
    * Fix alloc_reg_release for longer uptime in out of memory conditions.
    * [bugzilla: 329 ]
      in example.conf show correct ipv4 link-local 169.254/16.
    * compliance with draft-ietf-dnsop-default-local-zones-14, removed
reverse ipv6 orchid prefix from builtin list.
    * Algorithm rollover operational reality intrudes, for trust-anchor
and 5011-store, if one key matches it's good enough.
    * Fix reported validation error in out of memory condition.
    * Abide RFC5155 section 9.2: no AD flag for replies with NSEC3 optout.
    * increased mesh-max-activation from 1000 to 3000 for crazy domains
like _tcp.slb.com with 262 servers.
    * [bugzilla: 327 ]
      Fix for cannot access stub zones until the root is primed.
    * openbsd-lint fixes
    * [bugzilla: 321 ]
      Fix resolution of rs.ripe.net artifacts with 0x20. Delegpt
structures checked for duplicates always. No more nameserver lookups
generated when depth is full anyway.
    * [bugzilla: 322 ]
      Fix, configure does not respect CFLAGS on Solaris. Pass
CFLAGS="-xO4 -xtarget=generic" on the configure command line if use
sun-cc, but some systems need different flags.
    * Fix acx_nlnetlabs.m4 configure output for autoconf-2.66 AS_TR_CPP
changes, uses m4_bpatsubst now.
    * make test (or make check) should be more portable and run the unit
test and testbound scripts. (make longtest has special requirements).
    * More pleasant remote control command parsing.
    * Fix name of rrset printed that failed validation.
    * Return NXDOMAIN after chain of CNAMEs ends at name-not-found.
    * Fix validation in case a trust anchor enters into a zone with
unsupported algorithms.
    * iana portlist updated.
    * updated ldns tarball.

Best regards,
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/


More information about the Unbound-users mailing list